On Cloud (Computing) Nine: Cloud Computing Contracts

Cloud computing is becoming the primary platform for web applications and the online distribution of increasingly complex and sensitive data. For many companies, cloud computing contracts inadequately address privacy and security risks. It is imperative that if your business is entering into a contract with a cloud computing vendor, the contract clearly sets out liability clauses and mitigates unique risks that arise from this form of technology.

IT contracts for cloud services differ substantially from traditional contracting models. From a technical perspective, IT infrastructure capacity is highly elastic. Elasticity means cloud server capacity can be dynamically reconfigured to adjust to a variable load depending on how many users are accessing data. Accordingly, there is an elimination of an up-front commitment by clients as they often pay only for what they use, compared to traditional IT hosting. These characteristics highlight not only the illusion of infinite resources but also how the location of data processing is not always known, predetermined or agreed to contractually.

Dude, Where’s My Data?

The physical location of data, coupled with its virtual state in the cloud, raises several issues regarding the validity of cross-border contracts and data security. Unlike traditional IT contracts whereby the law governing the Service Level Agreement and the choice of court in dispute resolution is clear, cloud computing raises new challenges. Given the potential movement of data across multiple jurisdictions, and the consequential inconsistency of confidentiality protection in differing jurisdictions, a client may find that their data may not be entitled to the same protection as contractually obliged. It is imperative that each cloud computing contract is drafted specifically for the vendor and the client.  Vendors should offer comprehensive and unambiguous jurisdiction clauses, including a list of the regulations and statutes that govern the site where data is stored and how compliance is executed.  

As the processing of data in the cloud can take place across different servers in different countries, or in a shared-tenancy cloud-computing environment, privacy concerns are paramount. The Privacy Act 1988 (Cth),  USA PATRIOT Act and European Union Data Privacy Directive all vary in coverage and effect of data protection and privacy. For Australian cloud computing vendors, consideration of the Australian Privacy Principles (APPs) is also a requirement.

What Should I Look For In A Cloud Computing Contract?

If you are a client using cloud computing technology, you can minimise the risk of security breaches by conducting your due diligence procedures such as knowing where your data is stored, and ensuring protocols are implemented to monitor continuously vendors and how data is handled.

Most shrink-wrap and click-wrap agreements only allow clients to view the terms and conditions of the contract after purchase. As these contracts may involve limited liability clauses or vendor subcontracting agreements, clients are not often given an opportunity to negotiate their terms and to scrutinise the terms of their licenses closely. If you are considering entering a cloud computing contract, you should use your power to negotiate how your software is installed to comply with your requirements,  and how data is stored and processed.

Key Takeaways

The innovation of cloud computing presents unique complexities and legal implications. Cloud computing clients should carefully scrutinise their contract before signing to ensure they understand the location and method of data storage. Our IT lawyers can assist with drafting or reviewing cloud computing contracts.

Questions? Get in touch on 1300 544 755.